Add an option to disable dirauth ed25519 link key checks.

If there is some horrible bug in our ed25519 link authentication
code that causes us to label every single ed25519-having node as
non-running, we'll be glad we had this.  Otherwise we can remove it
later.
Nick Mathewson 2016-11-10 12:41:17 -05:00
parent 7daf152172
commit 3d7e485402
4 changed files with 18 additions and 2 deletions


@ -2270,6 +2270,13 @@ on the public Tor network.
(default), the flag "shared-rand-participate" is added to the authority
vote indicating participation in the protocol. (Default: 1)
[[AuthDirTestEd25519LinkKeys]] **AuthDirTestEd25519LinkKeys** **0**|**1**::
Authoritative directories only. If this option is set to 0, then we treat
relays as "Running" if their RSA key is correct when we probe them,
regardless of their Ed25519 key. We should only ever set this option to 0
if there is some major bug in Ed25519 link authentication that causes us
to label all the relays as not Running. (Default: 1)
[[BridgePassword]] **BridgePassword** __Password__::
If set, contains an HTTP authenticator that tells a bridge authority to
serve all requested bridge information. Used by the (only partially
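Review bot: the new AuthDirTestEd25519LinkKeys entry describes only the 0 case, and its caution is phrased as "We should only ever set this option to 0", which reads as a developer note rather than operator guidance. Suggest also stating what the default of 1 enforces (a relay whose routerinfo lists an Ed25519 key must present a matching key when probed) and rewording the caution in the imperative, since at 0 a relay is treated as Running on its RSA key alone.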


@ -498,6 +498,7 @@ static config_var_t option_vars_[] = {
V(User, STRING, NULL),
OBSOLETE("UserspaceIOCPBuffers"),
V(AuthDirSharedRandomness, BOOL, "1"),
V(AuthDirTestEd25519LinkKeys, BOOL, "1"),
OBSOLETE("V1AuthoritativeDirectory"),
OBSOLETE("V2AuthoritativeDirectory"),
VAR("V3AuthoritativeDirectory",BOOL, V3AuthoritativeDir, "0"),


@ -3186,7 +3186,8 @@ dirserv_orconn_tls_done(const tor_addr_t *addr,
ri = node->ri;
if (ri->cache_info.signing_key_cert) {
if (get_options()->AuthDirTestEd25519LinkKeys &&
ri->cache_info.signing_key_cert) {
/* We allow the node to have an ed25519 key if we haven't been told one in
* the routerinfo, but if we *HAVE* been told one in the routerinfo, it
* needs to match. */
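Review bot: the retained comment under the new condition in dirserv_orconn_tls_done() still says the Ed25519 key "needs to match" whenever the routerinfo lists one, which no longer holds when AuthDirTestEd25519LinkKeys is 0. Suggest extending the comment to name the option, and consider logging when the check is skipped because of it, so that a mismatch which would otherwise have failed the relay stays visible to the authority operator. The condition also calls get_options() inline while dirserv_single_reachability_test() caches it in a local options pointer; the two sites should use the same form.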
@ -3256,6 +3257,7 @@ dirserv_should_launch_reachability_test(const routerinfo_t *ri,
void
dirserv_single_reachability_test(time_t now, routerinfo_t *router)
{
const or_options_t *options = get_options();
channel_t *chan = NULL;
node_t *node = NULL;
tor_addr_t router_addr;
@ -3266,7 +3268,8 @@ dirserv_single_reachability_test(time_t now, routerinfo_t *router)
node = node_get_mutable_by_id(router->cache_info.identity_digest);
tor_assert(node);
if (node_supports_ed25519_link_authentication(node)) {
if (options->AuthDirTestEd25519LinkKeys &&
node_supports_ed25519_link_authentication(node)) {
ed_id_key = &router->cache_info.signing_key_cert->signing_key;
} else {
ed_id_key = NULL;
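Review bot: in the condition that selects ed_id_key, turning the option off falls through to the existing ed_id_key = NULL branch, so the reachability test runs with no expected Ed25519 identity, and nothing in the code says this is deliberate. A short comment tying this branch to AuthDirTestEd25519LinkKeys, and to the matching skip in dirserv_orconn_tls_done(), would keep the two sites consistent when the option is later removed.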


@ -4577,6 +4577,11 @@ typedef struct {
/** Autobool: Should we include Ed25519 identities in extend2 cells?
* If -1, we should do whatever the consensus parameter says. */
int ExtendByEd25519ID;
/** Bool (default: 1): When testing routerinfos as a directory authority,
* do we enforce Ed25519 identity match? */
/* NOTE: remove this option someday. */
int AuthDirTestEd25519LinkKeys;
} or_options_t;
/** Persistent state for an onion router, as saved to disk. */
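Review bot: the "NOTE: remove this option someday." comment on AuthDirTestEd25519LinkKeys gives no removal condition or tracking reference, so this escape hatch is likely to outlive its purpose. Suggest stating the criterion (the commit message implies it: once Ed25519 link authentication is known not to mislabel relays as non-running) or pointing at a ticket. The doc comment could also say that 0 means only the RSA key is checked, matching the man page text.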